Data Domain Encryption One Hitters

March 8, 2013

Encryption of Data at Rest or “inline data encryption”

  • Protects from lost/stolen, accidental expose to a lost drive, or intrusion
  • Requires a license
  • Enables data on system drives or external storage to be encrypted, while being saved and locked, before it’s moved to another location
  • All ingested data is encrypted
  • Data that exists on the Data Domain before enabling encryption is not automatically encrypted but can be later


Inline Encryption happens during the Data Domain SISL Process:


  • Segment>fingerprint>Deduplicate (globally compress)>Group>Locally compress>Encrypt


The following Protocols can be encrypted as data is ingested: NFS, CIFS, VTL, DDBoost and NDMP tape server


The available types of Encryption are:

  • 128bit or 256 AES
  • CBC mode
  • Or both CBC (Cipher Block Chaining) and GCM (Galios/Counter mode)


*One important thing to remember is that all data entering DD system will be encrypted; there are NO other granular levels of encryption available


The feature can be enabled on the Encryption tab in File System shows status


Also, do not forget an Encryption passphrase when locking or unlocking file system or disabling Encryption; do not lose your passphrase, this is imperative


File System Locking

  • When encryption enabled DD is being transported, use file system locking; data could be recovered using forensic tools especially if local compression is turned off
  • Requires two-user auth (Security Office Acct and SysAdmin Acct)
  • Encrypts all user data
  • Encrypts all user data, encryption key cannot be recovered



EMC Data Domain deduplication storage systems use RSA BSAFE FIPS 140-2 validated cryptographic libraries

For environments requiring encryption keys to be changed on a periodic basis to meet compliance regulations, RSA Data Protection Manager (RSA DPM) can manage the lifecycle of the encryption key for DD systems.  Policies can be used to rotate keys on periodic basis, delete keys, expire or marked as compromised.  A copy of each key can be stored in a 2nd RSA DPM Server.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: